Andy -- also check in your /WEB-INF/login.conf; the Kerberos params are also
read there... you should have something like:
jcifs.spnego.initiate {
    com.sun.security.auth.module.Krb5LoginModule required debug=true storeKey=true;
};
jcifs.spnego.accept {
    com.sun.security.auth.module.Krb5LoginModule required debug=true storeKey=true;
};
I agree that it looks like your SpnegoNegociateCredentialsAction class isn't
outputting any logging -- someone else on the list might be able to help a
bit more with why that is? The other thing I'd look at is whether any of
the output you're looking for is going somewhere else (like catalina.log,
instead of wherever you have log4j pointing to)...
- Bill
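A check that goes with Bill's point further down that the Kerberos debugging is moot when no Kerberos exchange is taking place. The example below is added here and is not CAS, JCIFS or either poster's code. It decodes the base64 a browser sends after "Authorization: Negotiate" and reports whether the token is a bare NTLM message, a raw Kerberos AP-REQ, or a SPNEGO NegTokenInit, and in the SPNEGO case which mechanisms the browser offered. A result of ntlm, or spnego offering only the NTLMSSP mechanism, usually means the client never obtained a service ticket for the HTTP service principal, so nothing in the Krb5LoginModule side will ever fire; the problem is then on the client or KDC side (SPN registration, browser integrated-auth settings, clock skew) rather than in login.conf. The sample tokens produced by build_spnego_init(), build_raw_ntlm() and build_raw_krb5() are constructed fixtures, not captured traffic.

```python
"""Classify the token from "Authorization: Negotiate <base64>" to see whether a
Kerberos exchange is being attempted at all (NTLM fallback never touches the KDC).

Added diagnostic for this thread, not CAS, JCIFS or either poster's code.
The tokens built by build_*() below are constructed fixtures, not captured."""
import base64

OID_SPNEGO = "1.3.6.1.5.5.2"
OID_KRB5 = "1.2.840.113554.1.2.2"
OID_MS_KRB5 = "1.2.840.48018.1.2.2"        # Microsoft Kerberos mech OID
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_MECHS = {OID_KRB5, OID_MS_KRB5}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"         # raw NTLM message, no GSS framing


def _read_tlv(buf, pos):
    """One DER TLV at buf[pos] -> (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """DER OID content bytes -> dotted string."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _mech_types(neg_token_init):
    """mechTypes [0] SEQUENCE OF OID from a NegTokenInit's inner SEQUENCE."""
    _, seq, _ = _read_tlv(neg_token_init, 0)
    pos, mechs = 0, []
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                    # mechTypes is the first, optional element
            _, lst, _ = _read_tlv(val, 0)
            q = 0
            while q < len(lst):
                t, v, q = _read_tlv(lst, q)
                if t == 0x06:
                    mechs.append(_decode_oid(v))
            break
    return mechs


def classify_negotiate_token(b64):
    """Return {'kind', 'mechs', 'kerberos_offered'} for the base64 after 'Negotiate '."""
    raw = base64.b64decode(b64)
    result = {"kind": "unknown", "mechs": [], "kerberos_offered": False}
    if raw.startswith(NTLMSSP_SIGNATURE):  # browser fell back to NTLM outright
        result["kind"] = "ntlm"
        return result
    if not raw or raw[0] != 0x60:          # GSS-API InitialContextToken = [APPLICATION 0]
        return result
    _, body, _ = _read_tlv(raw, 0)
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06:
        return result
    mech = _decode_oid(oid)
    result["mechs"] = [mech]
    if mech in KERBEROS_MECHS:             # bare Kerberos AP-REQ, no SPNEGO wrapper
        result.update(kind="raw-krb5", kerberos_offered=True)
    elif mech == OID_SPNEGO:
        result["kind"] = "spnego"
        tag, neg_init, _ = _read_tlv(body, pos)
        if tag == 0xA0:                    # NegotiationToken CHOICE: negTokenInit [0]
            result["mechs"] = _mech_types(neg_init)
            result["kerberos_offered"] = any(m in KERBEROS_MECHS for m in result["mechs"])
    return result


# ---- constructed sample tokens (fixtures for trying the classifier offline) ----
def _der(tag, content):
    """Short-form DER length only; the fixtures stay under 128 bytes."""
    return bytes([tag, len(content)]) + content


def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_spnego_init(mech_oids, mech_token=b"\x00"):
    """Base64 NegTokenInit offering mech_oids, carrying a dummy mechToken."""
    mech_types = _der(0xA0, _der(0x30, b"".join(_der_oid(o) for o in mech_oids)))
    token = _der(0xA2, _der(0x04, mech_token))
    neg_init = _der(0xA0, _der(0x30, mech_types + token))
    return base64.b64encode(_der(0x60, _der_oid(OID_SPNEGO) + neg_init)).decode()


def build_raw_ntlm():
    """Base64 of a bare NTLMSSP NEGOTIATE_MESSAGE header (type 1)."""
    return base64.b64encode(NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00").decode()


def build_raw_krb5():
    """Base64 of a GSS InitialContextToken whose mech is Kerberos (AP-REQ stub)."""
    return base64.b64encode(_der(0x60, _der_oid(OID_KRB5) + b"\x01\x00")).decode()
```

Paste the header value minus the leading "Negotiate " word into classify_negotiate_token(); the header is visible in the browser's network tools or on a proxy in front of Tomcat. Real browser tokens run well past 127 bytes, which is why the reader handles long-form DER lengths while the fixture builder only needs short form. A 401 from CAS without a "WWW-Authenticate: Negotiate" response header means the browser was never challenged and will send no token at all.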
On Tue, Apr 13, 2010 at 11:57 AM, Andy Speagle <[email protected]> wrote:
> Ok..
>
> This is the relevant portion of the log concerning that class:
> 2010-04-13 09:45:42,448 DEBUG [org.springframework.webflow.engine.ActionExecutor] - Executing [annotatedact...@1cfd7c targetAction = org.jasig.cas.support.spnego.web.flow.spnegonegociatecredentialsact...@6f45d7f2, attributes = map[[empty]]] in state 'startAuthenticate' of flow 'login-webflow'
> 2010-04-13 09:45:42,449 DEBUG [org.springframework.webflow.engine.impl.RequestControlContextImpl] - Signaling event 'success' in state 'startAuthenticate' of flow 'login-webflow'
> 2010-04-13 09:45:42,449 DEBUG [org.springframework.webflow.engine.Transition] - Executing [transit...@526489f0 on = [eventId = 'success'], to = spnego] out of state 'startAuthenticate'
> 2010-04-13 09:45:42,449 DEBUG [org.springframework.webflow.engine.ActionState] - Entering state 'spnego' of flow 'login-webflow'
> 2010-04-13 09:45:42,449 DEBUG [org.springframework.webflow.engine.ActionExecutor] - Executing [annotatedact...@469c15d2 targetAction = org.jasig.cas.support.spnego.web.flow.spnegocredentialsact...@315cb235, attributes = map[[empty]]] in state 'spnego' of flow 'login-webflow'
> 2010-04-13 09:45:42,449 DEBUG [org.springframework.webflow.engine.impl.RequestControlContextImpl] - Signaling event 'error' in state 'spnego' of flow 'login-webflow'
> 2010-04-13 09:45:42,449 DEBUG [org.springframework.webflow.engine.Transition] - Executing [transit...@3cb7cee4 on = [eventId = 'error'], to = viewLoginForm] out of state 'spnego'
> 2010-04-13 09:45:42,449 DEBUG [org.springframework.webflow.engine.ViewState] - Entering state 'viewLoginForm' of flow 'login-webflow'
> 2010-04-13 09:45:42,449 DEBUG [org.springframework.webflow.engine.ActionExecutor] - Executing [annotatedact...@476ff9e0 targetAction = org.jasig.cas.web.flow.authenticationviaformact...@87e05c4, attributes = map['method' -> 'setupForm']] in state 'viewLoginForm' of flow 'login-webflow'
> 2010-04-13 09:45:42,458 DEBUG [org.springframework.webflow.engine.ActionExecutor] - Executing [annotatedact...@32db4c8d targetAction = org.jasig.cas.web.flow.authenticationviaformact...@87e05c4, attributes = map['method' -> 'referenceData']] in state 'viewLoginForm' of flow 'login-webflow'
>
> ... the only thing I see is the error assertion in the spnego state of the
> flow.
>
> I don't have a "jcifs" bean... but rather a "jcifsConfig" bean defined...
> as follows:
>
> <bean name="jcifsConfig"
> class="org.jasig.cas.support.spnego.authentication.handler.support.JCIFSConfig">
> <property name="jcifsServicePrincipal"
> value="HTTP/[email protected]" />
> <property name="jcifsServicePassword" value="********" />
>
> <property name="kerberosDebug" value="true" />
> <property name="kerberosRealm" value="REALM.FOO.BAR" />
> <property name="kerberosKdc" value="xxx.xxx.xxx.xxx" />
> <property name="kerberosConf" value="/etc/krb5.conf" />
> <property name="loginConf" value="/WEB-INF/login.conf" />
> </bean>
>
> Which is why I thought I had kerberos debugging turned on... but given your
> assertion that it might be moot since the kerberos exchange might not be
> happening... I think that's where I'm sitting. However, I'll try turning on
> the krb5 debugging in tomcat.
>
> Thoughts?
>
> -Andy
>
> On Tue, Apr 13, 2010 at 10:23 AM, William Markmann <[email protected]> wrote:
>
>> When you hit the protected URL of your webapp, you should be redirected to
>> CAS. It will try to pick up your identity in the class
>> cas.support.spnego.web.flow.SpnegoCredentialsAction -- are you seeing logging output
>> from that class? That's where you'll want to start looking. When an actual
>> Kerberos exchange takes place, if you have Kerberos debugging on, it will
>> spit out a bunch of useful info. Getting THAT debugging info varies from
>> server to server. In Tomcat, I'd check a couple things:
>>
>> - look at /WEB-INF/deployerConfigContext.xml... You should have a
>> 'jcifs' bean defined; make sure that you set a property there like:
>>
>> <property name="kerberosDebug" value="true" />
>>
>> - in Tomcat's startup, you can also set (in your JAVA_OPTS):
>>
>> -Dsun.security.krb5.debug=true
>>
>> ...but this setting might vary depending on the security manager; I think
>> I've set that in the past and it dumps the Kerberos exchange debugging to
>> stdout or stderr. Let me know if neither of those works, and I'll dig
>> around a little more to see how I got debugging working in the past. The
>> problem that I've run into several times is that a Kerberos exchange isn't
>> taking place at all, making the Kerberos debugging a moot point (you can
>> tell that from the logging output of SpnegoCredentialsAction, described
>> above -- that's why I suggest starting there).
>>
>> - Bill
>>
>> On Tue, Apr 13, 2010 at 11:05 AM, Andy Speagle <[email protected]> wrote:
>>
>>> Hi Bill,
>>>
>>> Ok, well... at least I had a good understanding of the webapp logging
>>> configuration. This was already done. But yes, I'm trying to get the
>>> spnego/kerberos logging information. I can't seem to reason that out. I'm
>>> using tomcat5 on RHEL5. I appreciate the assist.
>>>
>>> -Andy
>>> --
>>> You are currently subscribed to [email protected] as:
>>> [email protected]
>>>
>>> To unsubscribe, change settings or access archives, see
>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
>>>
>>
>>
>>
>> --
>> Bill Markmann
>>
>> Counterpoint Consulting, Inc.
>> (p) 571-338-2455
>> (f) 202-403-3425
>> (e) [email protected]
>> (w) http://www.counterpointconsulting.com/
>>